


I am using a gateway computer that isn't infected to type. My issue started when I was browsing with an IBM Thinkpad and I got the fake anti-virus (the sort of thing I've gotten before). I immediately went to processes and noticed something called ping.exe that was using a lot of memory. I would end the process and it would reappear a few seconds later. I ran Malwarebytes but it didn't find anything. I ran Norton Power Eraser and it found something and required a reboot. After a reboot, I still had the infection. I tried system restore and it froze every time and did not complete. I tried registry cleaners that didn't solve the issue. I posted here and after trying more things on the Thinkpad, simultaneously the gateway computer became infected (it seems it was a website I visited) and after a scan, a system restore and updating vulnerable programs that got exploited, the gateway computer is fine, but I became unable to connect to the internet on the Thinkpad. The computer at first had limited to no connectivity. After trying a few things it now is constantly acquiring network address. When I try to repair, it says it is unable to be done because my IP address can't be renewed. When I try to renew the IP address through cmd, there is a message that there is a problem with RPC. I received more instruction here to run Security Check, Malwarebytes, GMER and SUPERAntiSpyware. I was able to do so by saving those programs to a flash drive on the gateway and then running them on the Thinkpad. I have attached the GMER log. DDS freezes every time I try to use it, so I do not have a log. I was also instructed to post a link to the other topic I was receiving help in.

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

A small box will open, with an explanation about the tool. No input is needed, the scan is running.

Notepad will open with the results.

Follow the instructions that pop up for posting the results.

Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.

When I first ran ComboFix, I got a message stating: ComboFix has detected the following scanners to be active: Spyware Doctor with Anti-virus. I do not know what that is and did a search that went over three hours without finding a program with that name. I continued with the ComboFix scan.

Since not being able to connect to the internet is the issue I'm having, the Windows Recovery Console was unable to be installed on the computer. I continued with the scan.

It took hours to get the message: You are infected with a Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection. If for any reason you're unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time.

I pressed "ok" and after a few minutes I got another message stating: Rootkit is detected, be patient as this may take some moments. I pressed "ok" and got the previous message. I pressed "ok" again, got another message, but when I pressed "ok" the last time, my computer froze. I waited a few hours to see if anything would change but it did not.

When I rebooted, the Windows Security Center icon showed up in the task bar when it had previously not been doing so. When I opened it, my firewall was disabled and I am unable to enable it. I get a message stating: Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service? If I press yes, a message states: Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service. Also in the Windows Security Center, under "Virus Protection" it says "Spyware Doctor with AntiVirus reports that it is up to date and virus scanning is on. Antivirus software helps protect your computer against viruses and other security threats."

I rebooted again and ran ComboFix and got to the "rootkit detected" messages again and I did not press "ok". The messages alternated by themselves and when the last message showed up it did not go away, but the time on my computer kept going so I knew my computer wasn't frozen. After hours and hours nothing still changed, but the time kept going so I went to bed. When I woke up this morning I saw that the time stopped on the computer at around 3 a.m. I tried ComboFix again in safe mode with networking and it froze again.

GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

NEXT

Please open your MalwareBytes AntiMalware Program

Click the Update Tab and search for updates

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Quick Scan", then click Scan.

The scan may take some time to finish, so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected. <-- very important

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Here are the logs from GooredFix and Malwarebytes (which was outdated by 121 days since I can't connect to the internet for the update). I can't run the ESET scanner because I can't connect to the internet.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 22:43 on 30/12/2011 (Muzik)
Firefox version 3.0.19 (en-US)

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of afd. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of afd. The value does not exist.

Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
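The GooredFix output above is the kind of log a helper reads by eye to work out why the machine cannot get an address or start its firewall. The following Python script is an added example (not part of the thread, and not GooredFix's own code) that parses that log format into structured findings: which services are not running, which service-configuration values the tool could not find, and whether the connection checks failed. The embedded sample is copied from the log the poster attached; the regular expressions are written against that sample and are an assumption about the tool's wording for other runs.

```python
import re
from dataclasses import dataclass, field

# Sample input: the "Internet Services" / "Connection Status" / "Windows Firewall"
# sections of the GooredFix log posted in this thread (copied, not constructed).
SAMPLE_LOG = """Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of afd. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of afd. The value does not exist.

Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
"""

# Short descriptions of the services the tool checks. sharedaccess is the
# Windows Firewall/ICS service named in the poster's error message; the other
# two are general Windows knowledge, not something the log states.
SERVICE_DESCRIPTIONS = {
    "Dhcp": "DHCP Client (needed to obtain/renew an IP address)",
    "afd": "Ancillary Function Driver for Winsock (part of the TCP/IP stack)",
    "sharedaccess": "Windows Firewall/Internet Connection Sharing (ICS)",
}


@dataclass
class ServiceReport:
    name: str
    running: bool
    ok_values: list = field(default_factory=list)       # e.g. "start type", "ImagePath"
    missing_values: list = field(default_factory=list)  # values the tool could not read


# Patterns assumed from the sample log's wording (an assumption for other runs).
SERVICE_RE = re.compile(r"^(\S+) Service is (not running|running)\.", re.I)
OK_RE = re.compile(r"^The (.+?) of (\S+) service is OK\.", re.I)
MISSING_RE = re.compile(r"Unable to retrieve (.+?) of (\S+)\. The value does not exist\.", re.I)


def parse_gooredfix(text):
    """Return ({service name: ServiceReport}, [connection status lines])."""
    services = {}
    connection = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:      # blank line or "=====" underline
            continue
        m = SERVICE_RE.match(line)
        if m:
            name = m.group(1)
            services[name] = ServiceReport(name, m.group(2).lower() == "running")
            continue
        m = OK_RE.match(line)
        if m:
            services.setdefault(m.group(2), ServiceReport(m.group(2), False)).ok_values.append(m.group(1))
            continue
        m = MISSING_RE.search(line)
        if m:
            services.setdefault(m.group(2), ServiceReport(m.group(2), False)).missing_values.append(m.group(1))
            continue
        if line.endswith(":"):                  # section header such as "Connection Status:"
            section = line[:-1]
            continue
        if section == "Connection Status":
            connection.append(line)
    return services, connection


def findings(services, connection):
    """Turn the parsed log into one-line findings a helper can act on."""
    out = []
    for s in services.values():
        desc = SERVICE_DESCRIPTIONS.get(s.name, "unknown service")
        if not s.running:
            out.append(f"{s.name}: not running ({desc})")
        for value in s.missing_values:
            out.append(f"{s.name}: {value} missing from service configuration")
    if any("blocked" in c.lower() or "no connection" in c.lower() for c in connection):
        out.append("network: localhost blocked or no connectivity")
    return out


if __name__ == "__main__":
    svc, conn = parse_gooredfix(SAMPLE_LOG)
    for line in findings(svc, conn):
        print(line)
```

Run on the posted log, the script reports that the DHCP client and the firewall/ICS service are stopped and that the afd entry has lost both its start type and its ImagePath, which lines up with the symptoms the poster describes (the adapter stuck acquiring a network address, and the Security Center's "associated service is not running" message). Missing registry values for a service, as opposed to a service that is merely stopped, are the signal that the configuration itself was damaged rather than just disabled, which is why a plain restart of the service does not recover it.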